问题
I have defined my security policy as:
default-src 'self'; script-src 'self'; frame-src 'self'; style-src 'self' 'unsafe-inline';
(I still have CSS at the head of several pages).
I have no trouble with Firefox or Chrome (IE doesn't support CSP yet) but, when I try testing in Safari, I get a string of errors like:
Refused to load style from 'http://localhost/styles/alliance.css' because of Content-Security-Policy.
.
.
.
Refused to load image from 'http://localhost/images/Landing1.jpg' because of Content-Security-Policy.
.
.
.
Refused to load script from 'http://localhost/JQuery/jquery-1.7.2.min.js' because of Content-Security-Policy.
The images should be covered by default-src and the other two are listed as "Self" so I don't know why Safari is not accepting my images and scripts. I do not have a Mac so I am using Safari on Windows (5.1.7).
Any ideas? Thank you!
回答1:
Safari 5 is a bit behind in its implementation of CSP. Safari 6 is much better, but I don't think its been released for Windows. I think you're simply seeing implementation bugs. If WebKit nightlies are available for Windows, that might be a good alternative for testing.
Honestly, though, I wouldn't recommend serving the X-WebKit-CSP header to Safari 5. Safari 6, yes, but 5 is a bit too broken to really use.
Note also that you can simplify your policy. Both script-src and frame-src will fall back to default-src. default-src 'self'; style-src 'self' 'unsafe-inline' should have the same effect.
来源:https://stackoverflow.com/questions/13663302/why-does-my-content-security-policy-work-everywhere-but-safari